On 6/2/19 2:24 PM, Shawn Wells wrote:
Attempting to use the RHEL 8 data streams, but even 'oscap info' fails using the latest release [0]:

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.3.xml
Document type: Source Data Stream
Imported: 2019-06-02T11:16:07

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml.bz2' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2' file which is referenced from datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211]


Looking at the ssg-rhel8-ds-1.3 file there are lots of mentions to SCAP 1.2 instead of 1.3?


[0] https://github.com/ComplianceAsCode/content/releases/download/v0.1.44/scap-security-guide-0.1.44-redhat-SCAP-1.3.zip


p.s. this also happens with upstream:

$ ./build_product rhel8
$ oscap info build/ssg-rhel8-ds-1.3.xml
Document type: Source Data Stream
Imported: 2019-06-02T14:27:51

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.3
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
OpenSCAP Error: Could not extract scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml with all dependencies from datastream. [ds_sds_session.c:211]


The rhel8 1.2 datastream appears fine when using "oscap info," but using it also results in an error:

$ oscap info build/ssg-rhel8-ds.xml
Document type: Source Data Stream
Imported: 2019-06-02T14:27:50

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml
Generated: (null)
Version: 1.2
Checklists:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml
        Status: draft
        Generated: 2019-06-02
        Resolved: true
        Profiles:
            Title: Criminal Justice Information Services (CJIS) Security Policy
                Id: xccdf_org.ssgproject.content_profile_cjis
            Title: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
                Id: xccdf_org.ssgproject.content_profile_cui
            Title: Health Insurance Portability and Accountability Act (HIPAA)
                Id: xccdf_org.ssgproject.content_profile_hipaa
            Title: Protection Profile for General Purpose Operating Systems
                Id: xccdf_org.ssgproject.content_profile_ospp
            Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_pci-dss
            Title: Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)
                Id: xccdf_org.ssgproject.content_profile_rht-ccp
            Title: Standard System Security Profile for Red Hat Enterprise Linux 8
                Id: xccdf_org.ssgproject.content_profile_standard
        Referenced check files:
            ssg-rhel8-oval.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
            ssg-rhel8-ocil.xml
                system: http://scap.nist.gov/schema/ocil/2
            https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml
                system: http://oval.mitre.org/XMLSchema/oval-definitions-5
Checks:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-oval.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-ocil.xml
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-oval.xml
Dictionaries:
    Ref-Id: scap_org.open-scap_cref_ssg-rhel8-cpe-dictionary.xml

$ sudo atomic scan --scan_type configuration_compliance --scanner_args xccdf-id=scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml,profile=xccdf_org.ssgproject.content_profile_ospp,report registry.redhat.io/ubi8/ubi-minimal --scanner openscap-ncp
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-06-02-07-30-02-549130:/scanin -v /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro openscap-ncp:latest oscapd-evaluate scan --targets chroots-in-dir:///scanin --output /scanout --no-cve-scan --fix_type bash -j1 --xccdf-id scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml --profile xccdf_org.ssgproject.content_profile_ospp --report

registry.redhat.io/ubi8/ubi-minimal (3bfa511b67f8277)

     registry.redhat.io/ubi8/ubi-minimal is not supported for this scan.

Files associated with this scan are in /var/lib/atomic/openscap-ncp/2019-06-02-07-30-02-549130.
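
Added example, not part of the original message and not OpenSCAP or ComplianceAsCode code: a pre-flight check that lists the component-refs in a source data stream whose xlink:href points outside the file, which are the references the warnings above say need '--fetch-remote-resources'. The embedded sample is constructed; its "scap_org.open-scap_comp_..." ids are assumed, while the data-stream id, cref ids and URL are taken from the output above.

```python
import sys
import xml.etree.ElementTree as ET

DS_NS = "http://scap.nist.gov/schema/scap/source/1.2"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Constructed sample data stream (trimmed to the reference structure only).
SAMPLE_SDS = """<?xml version="1.0"?>
<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml">
    <ds:checklists>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-xccdf-1.2.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-xccdf-1.2.xml"/>
    </ds:checklists>
    <ds:checks>
      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhel8-oval.xml"
          xlink:href="#scap_org.open-scap_comp_ssg-rhel8-oval.xml"/>
      <ds:component-ref
          id="scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml"
          xlink:href="https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml"/>
    </ds:checks>
  </ds:data-stream>
</ds:data-stream-collection>
"""


def remote_component_refs(sds_xml):
    """Return (data-stream id, component-ref id, href) for each non-local ref."""
    root = ET.fromstring(sds_xml)
    found = []
    for stream in root.iter(f"{{{DS_NS}}}data-stream"):
        for cref in stream.iter(f"{{{DS_NS}}}component-ref"):
            href = cref.get(XLINK_HREF, "")
            # Local components are addressed as "#<component id>".
            if href and not href.startswith("#"):
                found.append((stream.get("id"), cref.get("id"), href))
    return found


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SDS
    refs = remote_component_refs(xml_text)
    for stream_id, cref_id, href in refs:
        print(f"{stream_id}: {cref_id} -> {href}")
    sys.exit(1 if refs else 0)
```

A non-zero exit means the data stream cannot be fully resolved on a host without network access.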

